On Fri, Jan 13, 2006 at 02:05:12PM +0100, Volker Lendecke wrote:
> What we can reliably do is to provide correct group lists for users that have
> authenticated via winbind.
From irclog:
01/13/06 17:52:13 <vl> This is a tough one I think.
01/13/06 17:52:38 <vl> We have to decide between 'do your best' and rely on
Windows allowing us to and 'do the safe thing' and restrict functionality.
01/13/06 17:55:38 <coffeedude> vl: How about keep the current behavior for
non-winbind accounts and for "force user = domain\user" simply use the uid and
'domain users' as the sole group. It would at least be consistent. And as
long as we prepare people for what to expect, it should be ok.
01/13/06 17:56:06 <vl> Can I quote you on that? That's exactly what I had hoped
for :-)
01/13/06 17:56:08 <coffeedude> vl: I just hate chasing the "sometimes it works
and sometimes it doesn't" bugs.
01/13/06 17:56:28 <vl> Me too.
01/13/06 17:56:40 <coffeedude> vl: Yup. You can quote me.
01/13/06 17:56:44 <vl> :-)
01/13/06 17:57:11 <coffeedude> vlThere's just no way to get the group
membership semantics to consistenty work in all environments with winbind users
and MS hotfixes.
01/13/06 17:57:26 <vl> Yes, that's what I'm saying
01/13/06 17:57:27 <vl> I'd change the 'force user' code to do our new, fancy
lookup_name call and decide according to the SID?
01/13/06 17:57:46 <vl> This way we get rid of the 'winbind use default domain'
problem quite nicely as well.
01/13/06 17:58:53 <coffeedude> vl: ok. sounds acceptable.
So 'force user = winbind-user' gets a uid and "domain users" as RID. No
supplementary groups.
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060113/32c601e7/attachment.bin